Configure allowed container registries

[VirtualEvan]

Is there any allowlist configuration for registries, or a flag that would forbid access to registries not specified in machine.registries.config.*?

I have read, and am currently using, the documentation for configuring mirrors and custom registries
https://www.talos.dev/v1.9/reference/configuration/v1alpha1/config/#Config.machine.registries. However, I haven't been able to find a way to block access to other repos.

Let's say I want my users to be able to pull from our private registry that serves as a pull-through-cache for docker.io and contains some custom images. I also want them to be able to pull directly from mcr.microsoft.com. So I have the following configuration:

machine:
  registries:
    mirrors:
      docker.io:
        endpoints:
          - https://myregistry.example.com/v2/docker.io
        overridePath: true
        skipFallback: true
    config:
      myregistry.example.com:
        auth:
          username: <user>
          password: <pass>

This works, but it also allows the user to pull from registry.malicious.bad. I am looking for something like:

machine:
  registries:
    allowList:
      - myregistry.example.com
      - mcr.microsoft.com

or

machine:
  registries:
    configuredOnly: true

[smira]

Yes, there is such way (but not obvious):

1. Configure all allowed registries explicitly.
2. Add * (catch-all) entry, and point it to an endpoint which doesn't work (e.g. 127.0.0.1:1), and disable fallback.

Any not explicitly configured registry pull will fall to *, fail, will not fallback, and fail completely.

[VirtualEvan]

Thank you the immediate response. It works great!